The new malware, dubbed "ProxyShellMiner", exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners that generate profit for the attackers.
ProxyShell is the collective name for three Microsoft Exchange vulnerabilities discovered and patched in 2021. Chained together, they allow unauthenticated remote code execution, giving attackers full control over the targeted Exchange server as well as the ability to connect to other servers in the organization.
In the attacks observed by Morphisec, the attackers use the ProxyShell vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 to gain initial access to an organization's network.
The attackers then drop the .NET malware payload into the NETLOGON folder of the domain controller so that every device on the network can run it. The payload only runs when given a command-line parameter, and the same value also serves as the password for the XMRig miner component.
Next, the second loader creates a scheduled task on the infected system that launches the malware every time the user logs in. The malware then uses process hollowing to inject the miner into a web browser installed on the user's machine and selects a random mining pool from a hard-coded list, after which cryptocurrency mining begins on the compromised computer.
The final step in the attack chain is to create a Windows Firewall rule that blocks all outbound traffic from the system, which reduces the chance that indicators of compromise are detected or that any alert about a potential compromise is raised.
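An added host-triage script (example code written for this article, not Morphisec's and not taken from the malware itself) that checks a Windows host for the two persistence and evasion artifacts described above: a logon-triggered scheduled task whose command points at the NETLOGON share, and an enabled outbound firewall rule that blocks every program to every remote address. It assumes an elevated session and the built-in ScheduledTasks and NetSecurity PowerShell modules; the path patterns and output layout are this example's own choices.

```powershell
# Example triage script (assumption: Windows 8 / Server 2012 or later, run as admin).

# 1. Scheduled tasks that fire at logon and execute something from the
#    NETLOGON share (or its SYSVOL backing path), as in the chain above.
$suspiciousTasks = foreach ($task in Get-ScheduledTask) {
    $logonTrigger = $task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger'
    }
    if (-not $logonTrigger) { continue }
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions
        $cmd = "$($action.Execute) $($action.Arguments)"
        # The miner expects a command-line parameter, so report arguments too.
        if ($cmd -match '(?i)\\NETLOGON\\|\\SYSVOL\\') {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Command = $cmd.Trim()
            }
        }
    }
}

# 2. Enabled outbound BLOCK rules that apply to any program and any remote
#    address: a catch-all egress block is the evasion step described above
#    and is rarely something an administrator creates deliberately.
$suspiciousRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Where-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        ($addr.RemoteAddress -contains 'Any') -and ($app.Program -eq 'Any')
    } |
    Select-Object DisplayName, Profile, Description

'--- Logon-triggered tasks running from NETLOGON/SYSVOL ---'
$suspiciousTasks | Format-Table -AutoSize
'--- Outbound block-all firewall rules ---'
$suspiciousRules | Format-Table -AutoSize
```

Either finding on a domain-joined workstation warrants pulling the task's target binary and the rule's creation time from the Security/Firewall event logs before cleanup.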
Morphisec warns that the impact of modern malware goes beyond DDoS attacks, server performance degradation and overheating of computers. After all, once the attackers have gained a foothold in the network, they can do anything at all, from deploying a backdoor to executing malicious code.
To mitigate the risk of ProxyShellMiner infection, Morphisec recommends that all administrators apply the available security updates and use comprehensive security software to detect and remove threats.